authorTom Fitzhenry <tom@tom-fitzhenry.me.uk>2024-04-21 22:51:02 +1000
committerTom Fitzhenry <tom@tom-fitzhenry.me.uk>2024-04-23 22:40:58 +1000
commit2e51a2fd03972819ef4e3fb8001a7e286a2469bb (patch)
tree9e95edaad787cb28b4a538b9833741807585d661 /nixos/tests/openssh.nix
parent41911ed9d2ce9bc43fa32d796a62697bc62641b9 (diff)
nixos/ssh: allow UsePAM to be disabled
Diffstat (limited to 'nixos/tests/openssh.nix')
-rw-r--r--nixos/tests/openssh.nix28
1 files changed, 28 insertions, 0 deletions
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index f71b0a22fe63d..a039986621cab 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -108,6 +108,23 @@ in {
         };
       };
 
+    server-no-pam =
+      { pkgs, ... }:
+      {
+        programs.ssh.package = pkgs.opensshPackages.openssh.override {
+          withPAM = false;
+        };
+        services.openssh = {
+          enable = true;
+          settings = {
+            UsePAM = false;
+          };
+        };
+        users.users.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
+      };
+
     client =
       { ... }: {
         virtualisation.vlans = [ 1 2 ];
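Review bot: The `server-no-pam` node turns PAM off in two places at once, `withPAM = false` on the package override and `UsePAM = false` in `services.openssh.settings`, so the test never runs `UsePAM = false` against the default PAM-enabled build. That is presumably the combination most users of the new option will deploy, and a regression there would go unnoticed. Consider a second node that keeps the default package and sets only `UsePAM = false`, or at least a comment on this node such as `# sshd is built without PAM here; the PAM-enabled build with UsePAM = false is not covered`. The node definition is complete within the hunk, but the enclosing attribute set begins and ends outside it.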
@@ -122,6 +139,7 @@ in {
     server_allowed_users.wait_for_unit("sshd", timeout=30)
     server_localhost_only.wait_for_unit("sshd", timeout=30)
     server_match_rule.wait_for_unit("sshd", timeout=30)
+    server_no_pam.wait_for_unit("sshd", timeout=30)
 
     server_lazy.wait_for_unit("sshd.socket", timeout=30)
     server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -211,5 +229,15 @@ in {
             "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
             timeout=30
         )
+
+    with subtest("no-pam"):
+        client.succeed(
+            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+        )
+        client.succeed("chmod 600 privkey.snakeoil")
+        client.succeed(
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
+            timeout=30
+        )
   '';
 })
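Review bot: The `no-pam` subtest asserts only the positive path, that root's key login succeeds, so it would still pass if disabling PAM left sshd accepting logins it should refuse. With PAM off, the account and session checks that PAM modules normally perform no longer run, which makes a rejection check worth having here. A non-interactive attempt without the key should fail, for example `client.fail("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o BatchMode=yes server-no-pam true", timeout=30)`. This assumes the client has no default identity in `~/.ssh`, which the visible lines do not show.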